[Opendnssec-user] Change DS algorithm type

(Berry) A.W. van Halderen berry at nlnetlabs.nl
Mon Feb 1 23:26:22 UTC 2021

Dear Dennis,

On Mon, Feb 01, 2021 at 11:21:30AM +0100, Dennis Baaten via Opendnssec-user wrote:
> When performing tests using DNSViz.net, the algorithm used for creating the
> DS is shown: Digest type / Digest alg. For the record: this is not the same
> as the DNSSEC algorithm
> (https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml).
> As the DS Digest type is currently set to "1" (which is SHA-1) I would like
> to change this in my ODS configuration. However, I cannot find any
> documentation on how to change this and which values are supported. RFC5155
> only mentions SHA-1: https://tools.ietf.org/html/rfc5155#section-11.
> My guess is that it is related to this section in kasp.xml:
> <NSEC3><HASH><Algorithm>1</Algorithm></HASH></NSEC3>. If so, then I'm also
> guessing (based on testing other domains using DNSViz) that I can change
> this to "2" being SHA-256. 

The hash for generating a DS is something different from the hash used in
NSEC3 records.  A DS record points to a DNSKEY record by hashing it.
This needs to be secure, so yes a SHA-1 hash no longer suffices.
OpenDNSSEC no longer outputs SHA-1 hashes unless you explicitly request it
to do so.  Getting a hash as soon as a new KSK is ready is obtained by

  ods-enforcer key export -z example.com --ds

If the KSK is already active you will have to use an additional -e flag.

The hashing used for NSEC3 does not need to be so precise.  You cannot
create a false hash as the NSEC3 records themselves are signed.  The
only reason for hashing it is to avoid easy zone walking (i.e. retrieve all
names from a zone).  You can only make this a bit harder with other
hashing algorithms at great expense of all.  So basically not worth it
and never done.

> Last but not least: any thoughts on how to perform this algorithm rollover?

Algorithm rollovers are another thing.  This is the algorithm used by the KSK
itself to sign the DNSKEY set.  The answer is simple.  Just update the
Algorithm of the KSK or ZSK in the kasp.xml and reread this policy file
using "ods-enforcer policy import".  The next rollover will be an algorithm
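To make the distinction in the reply concrete, here is an added example (not part of the message above, nor OpenDNSSEC's own code) that computes both hashes from the same owner name and DNSKEY data: the DS digest (RFC 4034 section 5.1.4, with the SHA-256 type from RFC 4509) that a parent publishes to point at a KSK, and the NSEC3 hashed owner name (RFC 5155 section 5), which is always SHA-1 and serves only to obscure names. The DNSKEY public-key bytes, owner names and salt are constructed sample values; only hashlib and base64 from the standard library are used.

```python
import base64
import hashlib


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B) for any algorithm other than 1 (RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types from the IANA "DS RR Digest Types" registry
DS_DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest (RFC 4034 s5.1.4): H(canonical owner name || DNSKEY RDATA), hex."""
    h = hashlib.new(DS_DIGEST_TYPES[digest_type])
    h.update(wire_name(owner) + rdata)
    return h.hexdigest().upper()


def ds_record(owner: str, rdata: bytes, digest_type: int) -> str:
    """Presentation-format DS RR: owner IN DS <key tag> <algorithm> <digest type> <digest>."""
    algorithm = rdata[3]
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def base32hex(data: bytes) -> str:
    """Base32 with the extended-hex alphabet (RFC 4648 s7), padding removed."""
    std = base64.b32encode(data).decode("ascii").rstrip("=")
    return std.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                       "0123456789ABCDEFGHIJKLMNOPQRSTUV"))


def nsec3_hash(owner: str, salt: bytes, iterations: int) -> str:
    """NSEC3 hashed owner name (RFC 5155 s5) with hash algorithm 1 (SHA-1), the only
    one defined: IH(0) = H(owner || salt), IH(k) = H(IH(k-1) || salt)."""
    digest = hashlib.sha1(wire_name(owner) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


if __name__ == "__main__":
    # Constructed sample: a KSK (flags 257) using algorithm 8 with made-up key bytes.
    # Real DNSKEY public keys are hundreds of bytes; this only exercises the code.
    sample_key = bytes(range(1, 65))
    rdata = dnskey_rdata(257, 3, 8, sample_key)
    for dtype in (1, 2):
        print(ds_record("example.com.", rdata, dtype))
    print("NSEC3 hashed owner:", nsec3_hash("example.com.", bytes.fromhex("aabbccdd"), 12))
```

The DS digest type is a property of the DS record the parent publishes, chosen when the DS is generated (which is what `ods-enforcer key export --ds` does for you), and has nothing to do with the `<NSEC3><Hash><Algorithm>` setting, which can only ever be 1. To cross-check the functions against published vectors, RFC 4509 section 2.3 gives a SHA-256 DS for the `dskey.example.com.` key of RFC 4034 section 5.4, and RFC 5155 Appendix A lists hashed owner names for the `example.` zone (salt `aabbccdd`, 12 iterations).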